CHALLENGE A – Meaningful IT Assurance

CHALLENGE A: Is it feasible to provide ordinary citizens access to affordable and user-friendly end-2-end IT services with constitutionally-meaningful* levels of user-trustworthiness, as a supplement to their every-day computing devices? If so, how? What scale of investments are needed? What standards/certifications can enable a user to reliably distinguish them from other services?

No standards or certifications exist today that are comprehensive enough to even remotely allow a user to meaningfully assess the trustworthiness of a given end-2-end IT service. Nor any end-2-end IT service or system is available that does not contain multiple “black boxes”, i.e. critical technical or organizational components which require blind trust in something or someone.

Constitutionally-meanigful?! “While perfect assurance is impossible, we will say that a given end-2-end IT service and its related lifecycle has constitutionally-meaningful levels of trustworthiness when its levels of confidentiality, authenticity, integrity and non-repudiation are sufficiently high to make its use, in ordinary user scenarios, rationally compatible to the full and effective Internet-connected exercise of their core civil rights, except for voting in governmental elections. In more concrete terms, it is end-2-end ICT service and lifecycle that warrants extremely well-placed confidence that an attacker aiming at continuous or pervasive compromisation would incur costs and risks that exceed the following: (1) for the comprimisation of the entire lifecycle, the tens of millions of euros, significant discoverability and unlikely liability, that are typically sustained by well-financed and advanced public and private actors, for high-value supply chains, through legal and illegal subversions of all kinds, including economic pressures; or (2) for the comprimisation of a single user, the tens of thousands of euros, and a significant discoverability, such as those associated with enacting such level of abuse through on-site, proximity-based user surveillance, or non-scalable remote endpoint techniques, such as NSA TAO”.

State of Security of commercial and high-assurance IT systems

Nowadays, IT security and privacy are a complete debacle from all points of view, from the ordinary citizen to the prime minister, from baby monitor to critical infrastructure, to connected cars and drones.

A lack of sufficiently extreme and comprehensive standards for critical computing, and the decisive covert action of states to preserve pre-Internet lawful access capabilities, have made so that, while unbreakable encryption is everywhere, nearly everything is broken; and while state-mandated or state-sanctioned backdoors are nearly everywhere1, the most skilled or well-financed criminals communicate unchecked.

All or nearly all endpoints, both ordinary commercial systems and high-trustworthiness IT systems, are broken beyond point of encryption, and scalably exploitable by powerful nations and a relatively large number of other mid- or high-level threat actors.

EU citizens, businesses and elected state officials have no access, even at high cost, to IT and “trust services” that are NOT remotely, undetectably and cheaply compromisable by a large number of medium- and high-threat actors. Criminal entities that are most well-financed avoid accountability through effective use of ultra-secure IT technologies, or by relying mostly on advanced non-digital operational security techniques (OpSec). National defenses are increasingly vulnerable to large-scale attacks on “critical infrastructure” by state and non-state actors, increasingly capable of causing substantial human and economic harm.

The critical vulnerabilities that make nearly everything broken are nearly always either state-mandated or state-sanctioned backdoors, because the state has either created, acquired or discovered them, while keeping that knowledge hidden, legally or illegally.

Nearly all critical computing services include at least some critical components whose complexity that is way beyond adequate verifiability. Design or fabrication of critical components or processes (CPU, SoC fabrication, etc.) are not publicly verifiable, and there are no reasons to trust providers’ carefulness and intent, when plausible deniability is very easy, liability is almost non-existent, and state pressures to accidentally leave a door open are extremely high.

Everything is broken mostly because of two structural, and highly interlinked, problems:

The lack of sufficiently extreme and comprehensive standards for high-assurance IT services that provide meaningful confidence to end-users that the entire life-cycles of their critical components are subject to oversight and auditing processes, that are comprehensive, user-accountable, publicly-assessable, and adequately intensive relative to complexity.

The decisive actions taken by state security agencies to maintain pre-Internet lawful access capabilities– since the popularization of algorithmically-unbreakable software encryption in the 1990s – through huge sustained investments in the discovery and creation of critical vulnerabilities, permeate the life-cycle and supply chain of virtually all ordinary and high-assurance IT technologies. Furthermore, the covert nature of such programs has allowed such agencies (and other advanced actors) for decades to remotely and cheaply break into virtually all end-points thought to be safe by their users – with extremely vague accountability – as well as covertly overextend their preventive surveillance capacities.

After Snowden, nearly all IT privacy activists are up in arms to fight what they see as a 2nd version of the 1990s’ Crypto Wars to prevent backdoors in IT systems from being mandated by nations in the wake of “terrorism threats”. Meanwhile, they overwhelmingly refrain from proposing anything about what we should do about those state backdoors and critical vulnerabilities that already exist everywhere. Almost no-one challenges state security agencies pretence that they are “going dark” to trumpet how much they are missing capabilities to enable lawful access, when they overwhelmingly are not, not even for scalable targeted attacks. Most activists are focused on:

(a) pushing existing Free/Open Source Software privacy tools to the masses, while making them more user-friendly and incrementally safer with small grants (no matter if from USG) and

(b) going full-out there to fight a 2nd Crypto War to prevent the government to create a state backdoor.

First off, the Crypto Wars in the 1990’s were won in appearance, but utterly lost in essence. In fact, while the US and other governments backtracked on their proposal for an ill-conceived mandatory backdoor (such as the Clipper Chip) and algorithmically-unbreakable encryption became accessible to anyone, the most powerful states security agencies won many times over. In fact, over the following two decades:

(1) powerful state security agencies have surreptitiously and undetectably placed backdoors nearly everywhere, with nonexistent or very insufficient due process oversight, compared to the already inadequate oversight lawful interception systems;

(2) Tons of valuable targets, even very “up there”, have kept using IT devices that they thought lacked backdoors, but which had been snooped upon for years or decades without their knowledge;

(3) The general perception that “free crypto for all” had won prevented even a demand for meaningful IT devices to be developed, which could minimize, isolate, simplify and do away with the need of trust in very many of untrustworthyactors along critical phases of the device life-cycle.

A mix of government self-serving disinformation and self-interested over-representation of the strength of current FLOSS solutions has brought many to believe that endpoint exploitation of well-configured FLOSS device setup is not scalably exploitable by advanced attackers.

Many of such IT privacy activists and experts over-rely on NSA documents’ reference to the fact that some advanced attackers take care not to overuse certain exploitation techniques to avoid burning them. But careful analysis of the capabilities of NSA Turbine, NSA FoxAcid, Hacking Team RCS document shows how advanced endpoint exploitation techniques allow them to scale highly and prevent such “burning” risk by using exploits that are beyond the ability of the target to discover, and other techniques. More recently, one leader of such activists, Jacob Appelbaum, said clearly (min 37.15-38.15): “It does seem to indicate to me that cryptography does stop them … I have seen that the Tor browser stops them from doing passive monitoring, and they have to switch to targeted. And that’s good. We want them to go from bulk, or mass, surveillance to targeted stuff. Now, the targeted stuff, because it is automated, is not different in scale but just different in methodology, .. actually. And usually they work together“

All the while, the media success of such security agencies in wildly overstating the “going dark” problem has enabled them to gather substantial political and public opinion consensus for:

(2) convincing politicians and the public opinion of the need to “outlaw” encryption and/or extend inadequate lawful access mandate, traditionally reserved to telephone operators, to all digital communications.

All the while, by breaking everything, they expose US government, US private interests, and law enforcement and intelligence to grave damage for state security and espionage by foreign states and non-state actors.

Impact on IT Security Business

EU IT security/privacy service/systems providers are increasingly unable to sustainably compete and innovate as they are unable to differentiate on the basis of meaningful and comprehensive benchmarks. They are also increasingly unable to convince users to investing in fixing vulnerabilities in one part of their systems, when most-surely many vulnerabilities remain in other critical parts, which are known to the same kind of threat actors. In a post-Snowden world, the success of even high-assurance cyber-security systems is increasingly “security theatre“, because even the highest-assurance systems in the civilian market contain at least one critical vulnerability, accessible in a scalable way by even mid-level threat actors, with very low risk of discoverability and attribution.
So therefore it is almost impossible to measure and sustain the current overall security added value of any new security service, and related risk management strategies, even before assessing the increase in attack surface and vulnerabilities that any new product entails. The only reliable measure of the effectiveness of an high-assurance IT security provider, private and public, relies on its “closeness” to major stockpilers of vulnerabilities, mostly few large powerful states, creating pervasive intelligence network effects2, gravely undermining society sovereignty, freedoms and competitiveness.

As blogger Quinn Norton said, everything is broken. Revelations about systems and programs like NSA Turbine, NSA’S FoxAcid and Hacking Team, have shown the huge scalability – in terms of low risk and cost – of completely compromising of endpoint devices, by numerous public and private actors, and even more numerous actors that do or could trade, lend or steal such capabilities. It’s become clear that no IT system that assumes need for trust in any one person or organization – and there are none today – can be considered meaningfully trustworthy.

The exception to this rule is that there are some people in the world – top criminals, billionaires, or highest state official – who do have access to devices that are most likely not compromised by external entities. This results in a huge asymmetry of power between them and all others, i.e. two sets of citizens.

This situation will not be changed by a nation’s law, or international treaty. Stockpiling of zero day vulnerabilities, through investment in discovery, creation and purchase by powerful state and non-state actors will keep accelerating, and there is no chance any law or international treaty can significantly slow an acceleration of stockpiling of 0-days. Non proliferation of IT weapons is very different from other weapons like biological and nuclear, as their nature makes them easier to hide and reproduce, and they are used and spread daily by powerful actors to pursue their cyber-investigation goals.

In summary, there is a wide unavailability, for both citizens and for lawful access schemes, of end-2-end IT services of meaningfully high-trustworthiness levels.

The problem with current certifications and certifications governance

Over the last decades, in addition to sanctioning backdoors everywhere, states have repeatedly proven to be utterly incapable of either socio-technically designing, or legally managing, or issuing proper technical and organizational certification requirements for lawful access compliance. Fittingly, states have been similarly unable to create voluntary or mandatory IT security standards that would be anything like sufficiently extreme and comprehensive.

A recent ENISAreport, highlights: “At the time of writing, there is no single, continuous ‘line of standards’ related to cyber security, but rather a number of discrete areas which are the subject of standardisation”. The current EUCybersecurityStrategy (2013) calls for new standards and certification schemes – including supply chains and hardware – and calling for “a renewed emphasis on dialogue with third countries, with a special focus on like-minded partners that share EU values”, “possibly establish voluntary EU-wide certification schemes building on existing schemes in the EU and internationally”. Recognizes “the need for requirements for transparency, accountability and security is becoming more and more prominent”. Nonetheless, ECSEL and EDA no “EU computing base” exist in most IT domains that is even publicly verifiable in all its critical parts.

Consensus-based decision making processes at the core of EU institutions – and international public and mixed standard-setting bodies (such as ETSI) – have made it impossible to resist the firm will of even a single powerful country to corrupt or dilute-to-meaninglessness the standard setting process.

Industry driven standards are no better; standards bodies like Trusted Computing Group and Global Platform have focused on increasing user convenience, interoperability and reducing overall costs of violations to content copyright and integrity of financial transactions, while playing lip service to the security and privacy demands of end-users that were at odds with state security agencies.

So therefore, the governance of such paradigms and certifications may need to be primarily independent, international, highly-competent and citizen-accountable, and the role of the national, and international governmental institutions (EU, UN, etc) – and major global IT industry players – can only be that recognizers, adopters, and minority stakeholders. A process similar to that of the World Wide Web Consortium could be followed, but with much wider user- or citizen-accountability to keep companies from having too much control.